[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

Sun Oct 28 20:52:08 UTC 2018

The branch OpenSSL_1_1_1-stable has been updated
       via  f1b12b8713a739f27d74e6911580b2e70aea2fa4 (commit)
      from  d2953e5e7d8be6e83b35683f41bc0ae971782d16 (commit)


- Log -----------------------------------------------------------------
commit f1b12b8713a739f27d74e6911580b2e70aea2fa4
Author: Pauli <paul.dale at oracle.com>
Date:   Mon Oct 29 06:50:51 2018 +1000

    DSA mod inverse fix
    
    There is a side channel attack against the division used to calculate one of
    the modulo inverses in the DSA algorithm.  This change takes advantage of the
    primality of the modulo and Fermat's little theorem to calculate the inverse
    without leaking information.
    
    Thanks to Samuel Weiser for finding and reporting this.
    
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/7487)
    
    (cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79)

-----------------------------------------------------------------------

Summary of changes:
 crypto/dsa/dsa_ossl.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index ac1f65a..ca20811 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -23,6 +23,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
                          DSA_SIG *sig, DSA *dsa);
 static int dsa_init(DSA *dsa);
 static int dsa_finish(DSA *dsa);
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+                                      BN_CTX *ctx);
 
 static DSA_METHOD openssl_dsa_meth = {
     "OpenSSL DSA method",
@@ -259,7 +261,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
         goto err;
 
     /* Compute  part of 's = inv(k) (m + xr) mod q' */
-    if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
+    if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
         goto err;
 
     BN_clear_free(*kinvp);
@@ -393,3 +395,31 @@ static int dsa_finish(DSA *dsa)
     BN_MONT_CTX_free(dsa->method_mont_p);
     return 1;
 }
+
+/*
+ * Compute the inverse of k modulo q.
+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
+ * mod-exp operation.  Both the exponent and modulus are public information
+ * so a mod-exp that doesn't leak the base is sufficient.  A newly allocated
+ * BIGNUM is returned which the caller must free.
+ */
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+                                      BN_CTX *ctx)
+{
+    BIGNUM *res = NULL;
+    BIGNUM *r, *e;
+
+    if ((r = BN_new()) == NULL)
+        return NULL;
+
+    BN_CTX_start(ctx);
+    if ((e = BN_CTX_get(ctx)) != NULL
+            && BN_set_word(r, 2)
+            && BN_sub(e, q, r)
+            && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
+        res = r;
+    else
+        BN_free(r);
+    BN_CTX_end(ctx);
+    return res;
+}
